ColdFusion 2021 Data Source - An SSL socket connection could not be established because JRE 1.4

Hi Priyank,

I updated the ValidateServerCertificate to false and received the same error.

I know this is from several months ago, but Brad you say here to Priyank that setting ValidateServerCertificate=false did NOT work, but the next day you wrote in messages with bkbk that it DID work.

I know in the end you got the certs working, but I want to chime in here to note that this HAS been the solution to that "JRE 1.4" error for some folks, so if they find this thread, they should not dismiss it as a possible option. 🙂

If you or anyone seeing this may have more to say on this, I'm sure many would welcome the discussion. 

Hi BKBK,

I exported the certificate from the database server as a <DBServerName>.cer and imported it to C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts

I changed the connection string to the following.

EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;TrustStorePassword=<Password>;HostNameInCertificate=<hostname>

Still receiving the same error.

Hmm. What happens when you try

C:\ColdFusion2021\jre\lib\security\cacerts

Hi BKBK,

I added the certificate to C:\ColdFusion2021\jre\lib\security\cacerts using the keytool in C:\ColdFusion2021\jre\bin. I also updated the connection string to point to C:\ColdFusion2021\jre\lib\security\cacerts. That didn't work either.

A few other tests I tried while troubleshooting.

In an attempt to get a different error message I tried pointing to keystores that didn't exist. I tried adding incorrect passwords. All resulting in the same error.

If I remove the TrustStore and just use:

EncryptionMethod=SSL;ValidateServerCertificate=true;

I get the following error:

Connection verification failed for data source: <DBName>
java.sql.SQLException: Timed out trying to establish connection

If I change ValidateServerCertificate to false without the TrustStore it connects. Our security team has asked that we verify the certificate so I tried a few more tests. It seems to be consistent that when I pass the TrustStore with any value I receive the original error message.

Hi BKBK,

When I tried using cacerts instead of the <DBServerName>.keystore file I did change to a different import command. I used the following:

keytool -import -trustcacerts -alias <DBServerName> -file C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.cer -keystore cacerts

I also had to export the certificate from the Database Server as a 'cer' because the 'pfx' certificate was giving me the following error:

keytool error: java.lang.Exception: Input not an X.509 certificate

Without the password parameter I am prompted to enter the password. I removed my cacerts file and added an original back and tried the following import command:

keytool -import -alias <DBServerName> -file C:\ColdFusion2021\jdk-11.0.15.1\lib\security\<DBServerName>.cer -keystore C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts -storepass <MyPassword>

I used the following connection string when testing the cacerts file:

EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;TrustStorePassword=<MyPassword>;

Still getting the same error.

Wondered whether you should then use Keystore=... instead of Truststore=...

I tried Keystore instead of TrustStore this morning with both the <DBServerName>.keystore and cacerts file. Unfortunately I am still receiving the original error.

Could it be that it is sufficient to import the certificates, and not include any certificate details as JDBC quesry-string?

Hi BKBK,

When I leave out the certificate details I get a timeout error unless I also set ValidateServerCertificate to false. Without validation is there a reason to import the certificates?

OK. You have all the ingredients to get this to work. I get the impression we're overlooking something. 

Starting afresh: 

1.  List the certificates currently in cacerts.
   To do so, run the keytool command: keytool -list -v -cacerts 
   Take my case, for example. I am on CF2021 Update 4 on Windows. The Java that my CF installation uses is C:\Program Files\Java\jdk-11.0.15.1 (To verify your CF's Java, check the value of java.home in /bin/jvm.config )
   So, to list the certificates in cacerts, I proceed as follows:
   1(a) Open CMD as administrator;
   1(b) Use cd command to navigate in DOS to C:\Program Files\Java\jdk-11.0.15.1\bin;
   1(c) Run DOS command: keytool -list -v -cacerts > C:\Users\BKBK\Desktop\outputfile.txt
   The result is that a list of the certificates is dumped on my desktop as outputfile.txt.
   
   
2. After you do same on your side, confirm that all the required certificates have been imported.
   
   
   

Hi BKBK,

When I leave out the certificate details I get a timeout error unless I also set ValidateServerCertificate to false. Without validation is there a reason to import the certificates?

By @Brad23632070vu7s

I see your point. I would leave it at ValidateServerCertificate=true

 

I used the following connection string when testing the cacerts file:

EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;TrustStorePassword=<MyPassword>;

Still getting the same error.

By @Brad23632070vu7s

This time you omitted HostNameInCertificate.

Could you please try that again, proceeding as follows:

1.  Restart ColdFusion;
2.  Use the connection string,
   EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;HostNameInCertificate=CerficateServerHostName;TrustStorePassword=YourPassword

 
HostNameInCertificate=CerficateServerHostName;

By @BKBK

Verify the correct value CerficateServerHostName as follows:

1.  Browse to the website whose certificate you've imported. I shall assume you use Chrome to do so.
2.  Click on the padlock symbol in the top left-hand corner of the browser's address field.
3.  Click on "Connection is secure".
4.  Click on "Certificate is valid", then on the "Details" tab.
5.  Read off the value of the "Subject" field. That is the value that you should use as HostNameInCerficate

Hi BKBK,

I verified the java home in jvm.config:
java.home=C:/ColdFusion2021/jdk-11.0.15.1

I confirmed the certificate is in outputfile.txt.

I verified the host name I am using matches the subject in the certificate.

I restarted ColdFusion and tried the following connection string:

EncryptionMethod=SSL;ValidateServerCertificate=true;TrustStore=C:\ColdFusion2021\jdk-11.0.15.1\lib\security\cacerts;HostNameInCertificate=<subjectInCertificate>;TrustStorePassword=<MyPassword>

Still seeing the original error.

Let's assume for the moment that the connection string is good. 

Take a look at the datasource settings in the Administrator (corresponding to the connection string).  Test by setting server equal to the IP of the database server.

I am glad to hear it now works. Thanks for documenting your findings and for sharing the solution.

Were you able to discern why this is working?

I ran into a similar situation in ColdFusion 2023.  I eventually got it to work.  The abbreviated version of the connection string worked.  I added the HostNameInCertificate and that worked as well.  If I changed the hostname to something invalid, I got the error message you indicated.

I'm confused as to why this is working, though. How is it validating without knowing which TrustStore is being used and without being provided a password with which to access the TrustStore?  I decided to change the password for the cacerts to see if that impacted anything and it did not.  If it does use cacerts, does Java have access to the password?